1. Field of the Invention
The present invention relates to an authentication system for a wireless LAN application, and more particularly, to a comprehensive authentication and network management system for Wi-Fi LANs.
2. Background Information
LAN stands for “local area network” and is generally a computer network spanning a relatively small area, such as an office or a home, capable of transmitting data at very fast rates. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected to other LANs over distances via telephone lines and radio waves, forming a wide area network, or WAN. Most LANs connect end user devices such as workstations and personal computers, known as nodes of the network. Each node (e.g. an individual end user device) in a LAN has its own CPU with which it executes programs, but it is also able to access data and devices anywhere on the LAN. This means that many users can share devices, such as printers, as well as data. Users can also use the LAN to communicate with each other, by sending e-mail, holding chat sessions or the like.
There are many different types of LANs. LANs can be differentiated by topology, which is the geometric arrangement of devices on the network, such as a ring arrangement or a straight line arrangement; protocols, which are the rules and encoding specifications for sending data; and connection media, such as twisted pair wire, coaxial cable, fiber optic or wireless.
The wireless LANs are also referred to as WLANs with Wi-Fi being the dominant WLAN standard. A Wi-Fi WLAN will typically connect two or more computers or other devices over a short distance such as 100 to 500 feet, as within an office, a home or a “hot spot” (discussed below). A wireless wide area network, or WWAN, is a wireless network that covers a broad area, such as an entire city. WWANs operated by major wireless carriers provide voice and relatively low-bandwidth data service over a broad area, require hundreds of communications towers and special spectrum licenses from the government and cost hundreds of millions or billions of dollars to establish and maintain.
Wi-Fi is a contraction of “wireless fidelity” and is a global technical standard for wireless LANs. Wi-Fi is used generically when referring to any type of 802.11 standard network (discussed below), whether an 802.11b standard, an 802.11a standard, an 802.11g standard, a dual-band standard, or the like. Typically, any Wi-Fi product using the same radio frequency (for example, 2.4 GHz for the 802.11b or 11g standards, 5 GHz for the 802.11a standard) will work with any other. Formerly, the term Wi-Fi was used only in place of the 2.4 GHz 802.11b standard; however, the general meaning of the term has since been expanded. An advantage of the universal Wi-Fi standards is that virtually anyone can set up a low-cost Wi-Fi network and cover a home, an office or a public space to provide network access, such as high speed wireless Internet access that is more than 100 times faster than a typical dial-up modem connection.
The term “802.11” refers to a family of specifications developed by the Institute of Electrical and Electronics Engineers, or IEEE, for WLAN technology. The 802.11 standard specifies an over-the-air interface between a wireless client and a base station or between two wireless clients. There are a number of distinct specifications in the 802.11 family.
The 802.11 standard applies to wireless LANs and provides 1 or 2 Mbps transmission in the 2.4 GHz band using either Frequency Hopping Spread Spectrum (FHSS) or Direct Sequence Spread Spectrum (DSSS). The 802.11a standard is an extension to the 802.11 standard that applies to wireless LANs and provides up to 54 Mbps in the 5 GHz band, using an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS. The 802.11b standard is also an extension to the 802.11 standard that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2 and 1 Mbps) in the 2.4 GHz band, with 802.11b using only DSSS. The 802.11b standard is the “original” Wi-Fi standard and still accounts for the bulk of all Wi-Fi equipment sold. The 802.11g standard applies to wireless LANs and provides 20+ Mbps in the 2.4 GHz band.
The 802.11g standard is backward compatible with 802.11b standard access points, or APs (discussed below). In other words, an 802.11g standard radio will connect to both 802.11g standard and 802.11b standard APs. The 802.11a standard is not compatible with the 802.11b standard or the 802.11g standard, such that an 802.11a standard radio can only communicate with an 802.11a standard AP. However, many Wi-Fi PC cards now support both the 802.11b/g standards and the 802.11a standard. A new standard is emerging named 802.16 which will provide WWAN with higher speeds than current wireless carrier networks. Additional advantages for the 802.16 standard include the need for much less equipment as well as operation in an unlicensed spectrum, which dramatically decreases infrastructure deployment costs.
An access point, or AP, is a hardware device or a computer's software that acts as a wireless communication hub or “base station” that transmits and receives Wi-Fi wireless data traffic. An AP is usually attached to a wired LAN which is connected to a specific network, most typically through a router back to the Internet. APs in a typical system are used for providing wireless security as well as for extending the physical range of service to which a wireless user has access.
An infrastructure mode is an 802.11 standard networking framework in which devices communicate with each other by first going through an AP. In infrastructure mode, wireless devices can communicate with each other or can communicate with a wired network. Infrastructure mode is contrasted with Ad-hoc mode in which devices in an 802.11 standard network communicate directly with each other, without the use of an AP (e.g. a wireless peer-to-peer mode).
APs in general, and particularly APs that are open to the public, are also called “Hot Spots” with those running APs referred to as Hot Spot Operators or HSOs. Commercial hot spots are generally found in a public location such as a cafe, hotel, airport, book store, office building lobby, park or convention center (referred to as venues) and will contain one or more Wi-Fi access points and access control devices that users can connect to for a fee to gain access to the network that typically offers high-speed wireless access. A free amenity hot spot is a venue offering wireless Internet (or other network) access for free to its patrons and/or the general public. A free amenity hot spot is different than a free community hot spot in that it is set up in a commercial location and is typically intended as a benefit for the patrons of that location. For example, a cafe or hotel may elect to offer wireless access to its patrons for free as a competitive measure. In contrast, a free community hot spot is generally located in a home, park, street corner or other location and also offers wireless access for free. Free community hot spots are established by individuals or groups working to provide free Internet access to a local area rather than as part of a commercial establishment.
A hot spot aggregator, or simply an aggregator, is one who operates several hot spots combining them into a larger, seamless network. Venue owners contract with hot spot aggregators who deploy access points, access control devices (discussed below) and high speed Internet links into their locations. Hot spot aggregators share revenue and/or costs with the venue owner.
Any network, including a Wi-Fi network, will need to control what computer resources specific users have access to and will generally need to keep track of the activity of users over the network. Authentication is the process of identifying an individual, usually relying on a username and password. Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other users. Authorization is the process of granting or denying a user access to network resources once the user has been authenticated, such as through the username and password. The amount of information and the amount of services the user has access to depend on the user's authorization level. Finally, accounting is the process of keeping track of a user's activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation. In computer technology, an “identity” is the unique name of a person, device, or the combination of both that is recognized by a system. Many types of network management systems rely on unique identities to ensure the security of the network and its resources.
A virtual private network, or VPN, is a network that is constructed by using public connections (e.g. wires or wireless couplings) to connect devices of a network. A VPN provides a system for securing transmissions across TCP/IP networks (discussed below). A VPN is a secure “tunnel” between two points on the network, through which all traffic is encrypted and secure. For example, VPN software running on a laptop computer can establish a secure connection from the laptop, across the Internet to a VPN server behind a corporate firewall thousands of miles away. Such systems use encryption and other mechanisms (e.g. passwords) to try and ensure that only authorized users can access the network and that the data cannot be intercepted. A VPN overcomes the inherent insecurity in hot spots, which, unlike corporate Wi-Fi networks, generally broadcast without Wi-Fi's encryption capability enabled in order to allow users to easily connect to them.
An access control device is a piece of network equipment typically installed in a commercial hot spot location between one or more APs and the router that connects back to the Internet. The access control device ties into one or more authentication systems and controls who can get access through the wireless network to the Internet. In a commercial hot spot it serves as a Wi-Fi “cash register”, ensuring that only paying users can access the system, and is obviously a critical component of a commercial hot spot.
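As an added example (not code from the patent), the following model shows the three functions the preceding paragraphs describe, authentication, authorization and accounting, as an access control device would apply them at the point between the APs and the Internet router. The user database, passwords, authorization tiers and the client MAC addresses are all constructed for the demonstration; the password hashing (PBKDF2) and the constant-time comparison are standard-library calls, not a claim about the patent's method.

```python
"""Model of the AAA functions an access control device enforces at a hot spot.
Everything here (users, tiers, MACs, byte counts) is constructed sample data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# --- Authentication: verify a username/password against a salted hash store.
def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_credential(password):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)

# Constructed user database: username -> (salt, hash, authorization tier)
TIERS = {"guest": {"web"}, "subscriber": {"web", "vpn", "email"}}
USERS = {
    "alice": (*make_credential("correct horse"), "subscriber"),
    "bob": (*make_credential("battery staple"), "guest"),
}

def authenticate(username, password):
    """Return the user's tier on success, None on failure."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so response time does not reveal whether the user exists.
        _hash_password(password, b"\x00" * 16)
        return None
    salt, stored, tier = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return tier
    return None

# --- Authorization: a tier grants access to a fixed set of services.
def authorize(tier, service):
    return service in TIERS.get(tier, set())

# --- Accounting: one record per session with time, services and data volume.
@dataclass
class Session:
    username: str
    tier: str
    start: float
    bytes_up: int = 0
    bytes_down: int = 0
    services: set = field(default_factory=set)
    stop: Optional[float] = None

class AccessController:
    """The gate: a client MAC gets through only with an authenticated session."""
    def __init__(self):
        self.sessions = {}   # client MAC -> open Session
        self.records = []    # closed accounting records

    def login(self, mac, username, password, now):
        tier = authenticate(username, password)
        if tier is None:
            return False
        self.sessions[mac] = Session(username, tier, now)
        return True

    def request(self, mac, service, bytes_up, bytes_down):
        """Forward a request if the MAC has a session whose tier allows the service."""
        s = self.sessions.get(mac)
        if s is None or not authorize(s.tier, service):
            return False
        s.services.add(service)
        s.bytes_up += bytes_up
        s.bytes_down += bytes_down
        return True

    def logout(self, mac, now):
        s = self.sessions.pop(mac)
        s.stop = now
        self.records.append(s)
        return s

if __name__ == "__main__":
    gate = AccessController()
    gate.login("00:11:22:33:44:55", "alice", "correct horse", now=1000.0)
    gate.request("00:11:22:33:44:55", "vpn", 10, 20)
    print(gate.logout("00:11:22:33:44:55", now=1600.0))
```

The accounting record carries exactly the fields the paragraph lists (time in the network, services used, data transferred); a billing or audit system would consume `records`, while the `sessions` table is what decides, per frame, whether a client is allowed through.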
A Wi-Fi radio is a set of computer chips and an antenna that can send and receive Wi-Fi transmissions from a wireless device, such as a laptop, PDA, cell phone, access point, or the like. A Wi-Fi PC Card contains a Wi-Fi radio that can be used by a laptop computer and can be added to a laptop computer to provide Wi-Fi capabilities. A PC card, or PCMCIA (which stands for Personal Computer Memory Card International Association) card, is a lightweight, removable credit-card sized module that adds features to a portable computer. PCMCIA Wi-Fi cards provide inexpensive Wi-Fi capability to laptops and PDAs. Wi-Fi access points also contain one or more Wi-Fi radios. Wi-Fi radios are becoming very inexpensive and will soon be standard in laptops and other consumer electronics devices such as cars. Wi-Fi radio manufacturers include Intersil, Intel, Atheros, Broadcom, Texas Instruments and Agere.
A “Service Set Identifier”, or SSID is the name given to a Wi-Fi network by the person who sets up an access point. The SSID can be set to broadcast, in which case it can be detected and displayed to the user by “sniffer software”. Sniffer software is software that “sniffs” the airwaves for Wi-Fi signals (or other network signals such as 2.5G), displays them to the user and lets the user connect to them. Basic Wi-Fi sniffer software is built into existing operating systems such as Windows XP and Apple OSX. Further, when a user connects to a commercial hot spot, and opens a Web browser on their computer, the access control device in that location will generate a Web page that “splashes” up on their computer, known as a splash page. The splash page provides information from the hot spot operator of that location on how to log in or sign up.
Code Division Multiple Access, or CDMA, is a digital cellular technology that uses spread-spectrum techniques in which individual conversations are encoded with a pseudo-random digital sequence. In the US, Sprint and Verizon both use CDMA technology. Global System for Mobile Communications, or GSM, is another one of the leading digital cellular systems. GSM uses narrowband Time Division Multiple Access, or TDMA, which allows eight simultaneous calls on the same radio frequency. Unlike these other wireless technologies such as CDMA and GSM, Wi-Fi enjoys 100% global acceptance. It is becoming known as the “TCP/IP of wireless”. In other words, it is the single wireless networking standard for all developers, equipment manufacturers, service providers and users. The term “TCP/IP” refers to “Transmission Control Protocol/Internet Protocol” and is the set of standards for how computers and other devices communicate with each other over networks. TCP/IP originated in the 1970s and allowed computers from different manufacturers to talk to each other in a common way for the first time, becoming the foundation of the Internet. As with TCP/IP, any innovation in Wi-Fi benefits everyone else in the Wi-Fi community.
Hundreds of original equipment manufacturers, or OEMs, produce and distribute Wi-Fi radios and access points. The single Wi-Fi standard ensures these devices all interoperate with each other, so, for example, an access point made by Sweet Spot Solutions will communicate with a network card from Linksys. In the computer industry, an OEM is typically any company that makes equipment that is sold through a reseller to end users, including desktop computers, laptops and networking equipment such as routers and Wi-Fi PCMCIA cards (or Wi-Fi PC cards) and access points. OEMs include Dell, Sweet Spot Solutions, Sony, Apple, Proxim, Linksys and Cisco.
OEMs are now flooding the market with millions of Wi-Fi PC cards and access points. The single Wi-Fi standard ensures these devices all interoperate with each other, so that, for example, an access point made by Sweet Spot will communicate with a network card from Netgear. Wi-Fi components are now on a consumer adoption price curve. Rapid commoditization of Wi-Fi components has triggered steep declines in the price of Wi-Fi equipment. APs were recently over $1,000, but are $100 or less today, and Wi-Fi cards that were recently $700 now regularly sell for under $50.
As prices have dropped, demand for Wi-Fi equipment has soared, resulting in millions of private Wi-Fi devices being deployed in offices and homes. One limiting factor is the security of the Wi-Fi networks. A proposed IEEE 802.11i standard is intended to plug some known security holes in IEEE 802.11 wireless LANs, but will not make the Wi-Fi networks completely secure. In order to maximize security in Wi-Fi networks there have to be mechanisms to make sure the data is really coming from its supposed source, that it can't be seen and that it can't be modified. The proposed 802.11i standard will include a system for creating fresh keys at the start of each session. It also will provide a way of checking packets to make sure they are part of a current session and not repeated by hackers to fool network users, Walker said. To manage keys, it will use RADIUS (Remote Authentication Dial-In User Service) to authenticate users and the IEEE 802.1X standard. Another security upgrade coming soon is known as the WPA (Wi-Fi Protected Access) standard, a specification adopted by the Wi-Fi Alliance. These proposed improvements do not address all of the security issues with Wi-Fi networks.
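The two 802.11i mechanisms the paragraph names, a fresh key for each session and a check that each packet belongs to the current session rather than being a replay, can be modelled in a few lines. The block below is an added example, not the patent's or the standard's code: it derives a session key from a long-lived master key and two fresh nonces with HMAC-SHA256, then binds a strictly increasing packet number to every frame so that a receiver rejects replays and frames from an earlier session. The nonce sizes, the 48-bit sequence field and the 16-byte tag are assumptions chosen for the demonstration, not the 802.11i handshake or its key hierarchy, and the master key and payloads are constructed.

```python
"""Added example: per-session key derivation plus a per-packet replay check.
Simplified illustration of the two mechanisms named in the text; not 802.11i."""
import hashlib
import hmac
import os
import struct

SEQ_LEN = 6    # 48-bit packet number carried in the clear (assumed size)
TAG_LEN = 16   # truncated HMAC tag appended to each frame (assumed size)

def derive_session_key(master_key, ap_nonce, client_nonce):
    """Both sides contribute a fresh random nonce, so the session key changes
    every session even though the master (shared) key does not."""
    return hmac.new(master_key, b"session" + ap_nonce + client_nonce,
                    hashlib.sha256).digest()

def protect(session_key, seq, payload):
    """Frame = seq || payload || tag, where the tag covers seq and payload so
    neither can be altered without the session key."""
    header = struct.pack(">Q", seq)[-SEQ_LEN:]
    tag = hmac.new(session_key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Accepts a frame only if its tag verifies under this session's key and its
    packet number is higher than the last one accepted."""
    def __init__(self, session_key):
        self.key = session_key
        self.last_seq = -1

    def accept(self, frame):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None   # forged, modified, or protected under another session's key
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return None   # replay of a frame already seen in this session
        self.last_seq = seq
        return payload

if __name__ == "__main__":
    master = b"constructed-master-key-for-demo"
    key = derive_session_key(master, os.urandom(32), os.urandom(32))
    rx = Receiver(key)
    frame = protect(key, 1, b"hello")
    print(rx.accept(frame))   # b'hello'
    print(rx.accept(frame))   # None: the same frame is a replay
```

Because the session key depends on nonces neither side reuses, a frame captured in one session fails the tag check in the next one; within a session the monotonically increasing counter makes every replayed or reordered old frame fail the second check.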
WEP is short for Wired Equivalent Privacy, and is a security protocol for wireless local area networks. WEP is designed to provide the same level of security as that of a wired LAN. WEP aims to provide security by encrypting data over radio waves so that it is protected as it is transmitted from one end point to another. However, it has been found that WEP is not as secure as once believed. With WEP, a passive network attack takes advantage of several WEP weaknesses in the key-scheduling algorithm of RC4 and allows almost anyone with a WLAN-enabled laptop and some readily available “promiscuous” network software to retrieve a network's key, thereby gaining full user access in less than 15 minutes. The effort of this attack scales linearly with the number of key bits, so increasing the key to 128 bits makes little to no difference.
Many existing Wi-Fi networks don't even utilize basic protection against “war driving,” in which interlopers drive by buildings or park outside and intercept wireless LAN traffic. As a partial defense against “war driving,” users can utilize the WEP encryption that is already built in to Wi-Fi devices. For additional protection, users can implement user authentication and dynamic WEP, with keys that change, to protect themselves from “script kiddies,” a term for those (often teenagers) who use packaged hacking tools to infiltrate systems. Existing authentication systems include EAP-TLS (Extensible Authentication Protocol-Transport Layer Security), PEAP (Protected EAP), or Cisco's LEAP (Lightweight EAP), which Cisco introduced as part of an effort to boost its own products' security beyond WEP. Strong encryption systems are also available such as TKIP (Temporal Key Integrity Protocol), which will be used in WPA and 802.11i, or CKIP (Cisco Key Integrity Protocol), a proprietary implementation of the 802.11i recommendations that Cisco developed as a stop-gap measure.
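The preceding two paragraphs contrast static WEP with dynamic WEP, where the key changes. One concrete reason a changing key helps, and one a network operator can monitor for, is WEP's small keystream space: WEP seeds RC4 with a 24-bit initialization vector (IV) prefixed to the shared key, so under a static key the same IV eventually recurs and the same RC4 keystream is used twice. This is a separate, well-known WEP weakness from the key-scheduling attack cited above. The block below is an added example, not the patent's code: it estimates from the birthday bound how many frames a static key lasts before an IV repeat becomes likely, and runs a monitor over constructed (BSSID, IV) frame records that flags IV reuse and shows how rekeying resets the exposure. The frame records and BSSIDs are constructed; a real monitor would take them from a packet capture.

```python
"""Added example: WEP IV-reuse monitor and IV-space estimate.
Frame records below are constructed sample data, not a real capture."""
import math

IV_BITS = 24                 # WEP's IV field width
IV_SPACE = 2 ** IV_BITS      # 16,777,216 possible IVs per key

def frames_until_collision(probability=0.5):
    """Birthday bound: number of frames with random IVs after which some IV
    has repeated with the given probability."""
    return math.sqrt(2 * IV_SPACE * math.log(1.0 / (1.0 - probability)))

def parse_record(line):
    """Constructed capture line format: '<bssid> <iv as 6 hex digits>'."""
    bssid, iv_hex = line.split()
    iv = int(iv_hex, 16)
    if not 0 <= iv < IV_SPACE:
        raise ValueError("IV out of range for a 24-bit field: %s" % iv_hex)
    return bssid.lower(), iv

class IVMonitor:
    """Tracks IVs seen per access point under its current key and flags reuse."""
    def __init__(self):
        self.seen = {}     # bssid -> set of IVs observed since the last rekey
        self.alerts = []   # (bssid, iv) pairs where a keystream was reused

    def observe(self, bssid, iv):
        ivs = self.seen.setdefault(bssid, set())
        if iv in ivs:
            self.alerts.append((bssid, iv))
            return False
        ivs.add(iv)
        return True

    def rekey(self, bssid):
        """Dynamic WEP: a new key means IV||key is a fresh RC4 seed, so the IV
        history for this AP no longer indicates keystream reuse."""
        self.seen[bssid] = set()

    def frames_under_current_key(self, bssid):
        return len(self.seen.get(bssid, ()))

def run_monitor(lines, rekey_after=None):
    """Feed capture lines through the monitor; optionally rekey an AP after it
    has sent rekey_after frames. Returns the list of reuse alerts."""
    mon = IVMonitor()
    for line in lines:
        bssid, iv = parse_record(line)
        if rekey_after and mon.frames_under_current_key(bssid) >= rekey_after:
            mon.rekey(bssid)
        mon.observe(bssid, iv)
    return mon.alerts

# Constructed capture: AP 02:00:00:00:00:01 reuses IV 0x00A1C3; AP ...:02 does not.
SAMPLE_CAPTURE = [
    "02:00:00:00:00:01 00a1c3",
    "02:00:00:00:00:01 00a1c4",
    "02:00:00:00:00:02 00a1c3",   # same IV, different AP and key: not a reuse
    "02:00:00:00:00:01 00a1c3",   # repeat under the same static key
]

if __name__ == "__main__":
    print("frames to 50%% IV-collision chance: %.0f" % frames_until_collision())
    print("alerts with a static key:", run_monitor(SAMPLE_CAPTURE))
    print("alerts with rekey every 2 frames:", run_monitor(SAMPLE_CAPTURE, rekey_after=2))
```

Roughly 4,800 frames give a 50% chance of a repeated IV under a single key, which is seconds of traffic on a busy AP; an alert from the monitor under a static key means two frames were encrypted with identical keystream, and the rekey path shows why per-session or rotating keys remove that condition.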
U.S. Pat. No. 6,658,500 discloses an authentication system for a communications network (cable, cellular, cordless or land line telephony systems) in which a microchip card for the device is used for permitting access. This proposed security system is not identified for or practical for Wi-Fi networks. Another security system for cellular networks is described in U.S. Pat. No. 6,611,913 describing an escrowed key distribution system for authentication keys.
U.S. published patent application U.S. 2004/0022186 to Kump et al proposes a Wi-Fi network which monitors access points, identifies unauthorized access points and then applies filters to the flow of data through the unauthorized access points. The solution requires the ability to accurately detect unauthorized nodes and does not adequately prevent the access of such unauthorized nodes to begin with.
As identified above, there is a need in the industry to address the perceived security weaknesses of Wi-Fi networks in order to fully expand the potential of such networks. It is an object of the present invention to provide a comprehensive authentication and network management system for Wi-Fi LANs that addresses the security issues of users. It is another object of the present invention to provide a comprehensive authentication and network management system for Wi-Fi LANs that provides a turnkey authentication system for hot spot operators, operating within the hot spot. It is another object of the present invention to provide a comprehensive authentication and network management system for Wi-Fi LANs that simplifies the management of a variety of distinct hot spots. It is another object of the present invention to provide a comprehensive authentication and network management system for Wi-Fi LANs that is economically manufactured and easily usable with a variety of hot spot business applications.